<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
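	<title>SSL certificate API | ElasticSearch 7.7 Definitive Guide (Chinese Edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide Chinese Edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <meta name="description" content="ElasticSearch Definitive Guide Chinese Edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />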
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-api-ssl.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-ssl.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-ssl.html</a>; the original documentation is copyrighted by www.elastic.co<br/>Local English version: <a href="../en/security-api-ssl.html" rel="nofollow" target="_blank">../en/security-api-ssl.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
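<strong>Important</strong>: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current release documentation</a>.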
</div>
<div id="content">
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-api-ssl"></a>SSL certificate API
</h2>
</div></div></div>

<p>The <code class="literal">certificates</code> API enables you to retrieve information about the X.509
certificates that are used to encrypt communications in your Elasticsearch cluster.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-ssl-request"></a>Request
</h3>
</div></div></div>
<p><code class="literal">GET /_ssl/certificates</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-ssl-prereqs"></a>Prerequisites
</h3>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If the security features are enabled, you must have <code class="literal">monitor</code> cluster
privileges to use this API. For more information, see
<a class="xref" href="security-privileges.html" title="Security privileges">Security privileges</a>.
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-ssl-desc"></a>Description
</h3>
</div></div></div>
<p>For more information about how certificates are configured in conjunction with
Transport Layer Security (TLS), see
<a class="xref" href="ssl-tls.html" title="Setting up TLS on a cluster">Setting up TLS on a cluster</a>.</p>
<p>The API returns a list that includes certificates from all TLS contexts
including:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Settings for transport and HTTP interfaces
</li>
<li class="listitem">
TLS settings that are used within authentication realms
</li>
<li class="listitem">
TLS settings for remote monitoring exporters
</li>
</ul>
</div>
<p>The list includes certificates that are used for configuring trust, such as
those configured in the <code class="literal">xpack.security.transport.ssl.truststore</code> and
<code class="literal">xpack.security.transport.ssl.certificate_authorities</code> settings. It also
includes certificates that are used for configuring server identity, such as
<code class="literal">xpack.security.http.ssl.keystore</code> and
<code class="literal">xpack.security.http.ssl.certificate</code> settings.</p>
<p>The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in
use within Elasticsearch.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>When a PKCS#11 token is configured as the truststore of the JRE, the API
returns all the certificates that are included in the PKCS#11 token,
irrespective of whether they are used in the Elasticsearch TLS configuration.</p>
</div>
</div>
<p>If Elasticsearch is configured to use a keystore or truststore, the API output
includes all certificates in that store, even though some of the certificates
might not be in active use within the cluster.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-ssl-response-body"></a>Response body
</h3>
</div></div></div>
<p>The response is an array of objects, with each object representing a
single certificate. The fields in each object are:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">path</code>
</span>
</dt>
<dd>
(string) The path to the certificate, as configured in the
<code class="literal">elasticsearch.yml</code> file.
</dd>
<dt>
<span class="term">
<code class="literal">format</code>
</span>
</dt>
<dd>
(string) The format of the file. One of: <code class="literal">jks</code>, <code class="literal">PKCS12</code>, <code class="literal">PEM</code>.
</dd>
<dt>
<span class="term">
<code class="literal">alias</code>
</span>
</dt>
<dd>
(string) If the path refers to a container file (a jks keystore, or a
PKCS#12 file), the alias of the certificate. Otherwise, null.
</dd>
<dt>
<span class="term">
<code class="literal">subject_dn</code>
</span>
</dt>
<dd>
(string) The Distinguished Name of the certificate’s subject.
</dd>
<dt>
<span class="term">
<code class="literal">serial_number</code>
</span>
</dt>
<dd>
(string) The hexadecimal representation of the certificate’s
serial number.
</dd>
<dt>
<span class="term">
<code class="literal">has_private_key</code>
</span>
</dt>
<dd>
(boolean) If Elasticsearch has access to the private key for this
certificate, this field has a value of <code class="literal">true</code>.
</dd>
<dt>
<span class="term">
<code class="literal">expiry</code>
</span>
</dt>
<dd>
(string) The ISO formatted date of the certificate’s expiry
(not-after) date.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="security-api-ssl-example"></a>Examples
</h3>
</div></div></div>
<p>The following example provides information about the certificates on a single
node of Elasticsearch:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET /_ssl/certificates</pre>
</div>
<p>The API returns the following results:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">[
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    "has_private_key": false,
    "expiry": "2021-01-15T20:42:49.000Z"
  },
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    "has_private_key": false,
    "expiry": "2021-01-15T20:42:49.000Z"
  },
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=instance",
    "serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
    "has_private_key": true,
    "expiry": "2021-01-15T20:44:32.000Z"
  }
]</pre>
</div>
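<p>The following Python code is an added example, not part of the original Elastic documentation. It runs over the response shown above, merges entries that list the same certificate under several aliases, and classifies each certificate by its <code class="literal">expiry</code> date; the function names, the 30-day warning window and the merge key (subject DN plus serial number) are assumptions of this example.</p>

```python
from datetime import datetime, timedelta, timezone

# Response body copied from the example on this page.
SAMPLE = [
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
     "has_private_key": False, "expiry": "2021-01-15T20:42:49.000Z"},
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
     "has_private_key": False, "expiry": "2021-01-15T20:42:49.000Z"},
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
     "subject_dn": "CN=instance",
     "serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
     "has_private_key": True, "expiry": "2021-01-15T20:44:32.000Z"},
]


def parse_expiry(value):
    """Parse the `expiry` field (ISO 8601, UTC, as in the sample above)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit(certs, now, warn_days=30):
    """Merge duplicate listings and classify each certificate by its not-after date."""
    merged = {}
    for c in certs:
        # Assumption: subject DN + serial identifies a certificate here; the API
        # does not return the issuer, so this is a heuristic, not an X.509 identity.
        key = (c["subject_dn"], c["serial_number"])
        entry = merged.setdefault(key, {
            "subject_dn": c["subject_dn"], "serial_number": c["serial_number"],
            "expiry": parse_expiry(c["expiry"]), "has_private_key": False,
            "locations": set()})
        # Treated as an identity certificate if any listing carries a private key.
        entry["has_private_key"] = entry["has_private_key"] or c["has_private_key"]
        entry["locations"].add((c["path"], c["alias"]))
    for entry in merged.values():
        if now > entry["expiry"]:
            entry["status"] = "expired"
        elif now + timedelta(days=warn_days) >= entry["expiry"]:
            entry["status"] = "expiring"
        else:
            entry["status"] = "ok"
    # Soonest expiry first, so the most urgent certificate leads the report.
    return sorted(merged.values(), key=lambda e: e["expiry"])
```

<p>Because the API lists every certificate in a keystore or truststore, a finding may refer to a certificate that is not in active use; the <code class="literal">locations</code> set shows which path and alias to inspect.</p>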
</div>

</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>